Cisco PIX Firewall and VPN Configuration Guide
78-13943-01
Chapter 6
Configuring IPSec and Certification Authorities
This chapter provides information about using IP Security Protocol (IPSec), Internet Key Exchange
(IKE), and certification authority (CA) technology with the PIX Firewall.
This chapter includes the following sections:
• How IPSec Works
• Internet Key Exchange (IKE)
• Using Certification Authorities
• Configuring IPSec
• Manual Configuration of SAs
• Viewing IPSec Configuration
• Clearing SAs
How IPSec Works
IPSec provides authentication and encryption services that protect data against unauthorized viewing or
modification, both within your network and as it is transferred over an unprotected network, such as the
public Internet. IPSec is generally implemented in two types of configuration:
• Site-to-site—This configuration is used between two IPSec security gateways, such as PIX Firewall
units. A site-to-site VPN interconnects networks in different geographic locations. For information
specific to configuring IPSec in this configuration, refer to Chapter 7, “Site-to-Site VPN
Configuration Examples.”
• Remote access—This configuration is used to allow secure remote access for VPN clients, such as
mobile users. A remote access VPN allows remote users to securely access centralized network
resources. For information specific to configuring IPSec in this configuration, refer to
Chapter 8, “Configuring VPN Client Remote Access.”
Two different security protocols are included within the IPSec standard:
• Encapsulating Security Protocol (ESP)—Provides authentication, encryption, and anti-replay
services.
• Authentication Header (AH)—Provides authentication and anti-replay services.
IPSec can be configured to work in two different modes:
• Tunnel Mode—This is the normal way in which IPSec is implemented between two PIX Firewall
units (or other security gateways) that are connected over an untrusted network, such as the public
Internet.
• Transport Mode—This method of implementing IPSec is typically done with L2TP to allow
authentication of native Windows 2000 VPN clients. For information about configuring L2TP, refer
to “Using PPTP for Remote Access,” in Chapter 8, “Configuring VPN Client Remote Access.”
The main task of IPSec is to allow the exchange of private information over an insecure connection.
IPSec uses encryption to protect information from interception or eavesdropping. However, for encryption
to be used efficiently, both parties need to share a secret that is used for both encryption and
decryption of the information.
IPSec operates in two phases to allow the confidential exchange of a shared secret:
• Phase 1, which handles the negotiation of security parameters required to establish a secure channel
between two IPSec peers. Phase 1 is generally implemented through the Internet Key Exchange
(IKE) protocol. If the remote IPSec peer cannot perform IKE, you can use manual configuration
with pre-shared keys to complete Phase 1.
• Phase 2, which uses the secure tunnel established in Phase 1 to exchange the security parameters
required to actually transmit user data.
The secure tunnels used in both phases of IPSec are based on security associations (SAs) used at each
IPSec end point. SAs describe the security parameters, such as the type of authentication and encryption
that both end points agree to use.
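As an added illustration (not part of the Cisco guide) of the ESP and AH headers described above and the anti-replay service they carry, the following Python script parses the SPI and sequence number from constructed ESP/AH packets and runs them through a per-SA sliding replay window of the kind IPSec end points keep for each inbound SA. The packet builder, the 64-entry window size and the sample sequence numbers are assumptions chosen for the demonstration.

```python
import struct

ESP, AH = 50, 51  # IP protocol numbers for the two IPSec security protocols

def build_ipsec_packet(proto, spi, seq):
    """Constructed IPv4 packet carrying an ESP or AH header. Checksum, ICV and
    encrypted payload are zero placeholders; only the fields the parser reads matter."""
    if proto == ESP:
        hdr = struct.pack("!II", spi, seq)                      # ESP: SPI, Sequence Number
    else:
        hdr = struct.pack("!BBHII", 4, 4, 0, spi, seq) + bytes(12)  # AH: next hdr, len, rsvd, SPI, seq, ICV
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + hdr

def parse_ipsec_header(ip_packet):
    """Return (protocol, SPI, sequence number) for an IPv4 packet carrying ESP or AH."""
    ihl = (ip_packet[0] & 0x0F) * 4
    proto = ip_packet[9]
    payload = ip_packet[ihl:]
    if proto == ESP:
        spi, seq = struct.unpack("!II", payload[:8])
    elif proto == AH:
        spi, seq = struct.unpack("!II", payload[4:12])          # skip next hdr, len, reserved
    else:
        raise ValueError(f"not an IPSec packet (protocol {proto})")
    return proto, spi, seq

class ReplayWindow:
    """Sliding anti-replay window for one inbound SA: bit i of the bitmap marks
    sequence number (top - i) as already received."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        if seq == 0:
            return False                                        # 0 is never valid with anti-replay on
        if seq > self.top:                                      # right of the window: slide it
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                                        # too old, or a duplicate
        self.bitmap |= 1 << diff
        return True

def run_replay_filter(packets, size=64):
    """Feed packets through one replay window per (protocol, SPI); return (spi, seq, accepted)."""
    windows, results = {}, []
    for pkt in packets:
        proto, spi, seq = parse_ipsec_header(pkt)
        win = windows.setdefault((proto, spi), ReplayWindow(size))
        results.append((spi, seq, win.check_and_update(seq)))
    return results
```

Replayed and too-old packets are rejected while out-of-order packets inside the window are still accepted, which is why the guide lists anti-replay as a service IPSec can provide only once sequence numbers are tied to an SA.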
Internet Key Exchange (IKE)
This section describes the Internet Key Exchange (IKE) protocol and how it works with IPSec to make
VPNs more scalable. This section includes the following topics:
• IKE Overview
• Configuring IKE
• Disabling IKE
• Using IKE with Pre-Shared Keys
IKE Overview
IKE is a protocol used by IPSec for completion of Phase 1. IKE negotiates and assigns SAs for each
IPSec peer, which provide a secure channel for the negotiation of the IPSec SAs in Phase 2. IKE provides
the following benefits:
• Eliminates the need to manually specify all the IPSec security parameters at both peers
• Lets you specify a lifetime for the IKE SAs
• Allows encryption keys to change during IPSec sessions
• Allows IPSec to provide anti-replay services
• Enables CA support for a manageable, scalable IPSec implementation
• Allows dynamic authentication of peers